ISE Posture

Alcides Miguel
Level 1

Hello,

I'm configuring posture in ISE for VPN users using AnyConnect, but the client fails while trying to download the software from the portal.

Please help,

Regards,

6 Replies

Marvin Rhoads
Hall of Fame

So in this sort of case we typically have a "pre-auth" or "compliance unknown" sort of ACL applied to allow access to the essential services and resources required to become compliant and be authorized.

Have you allowed access to both the ISE server and the internal DNS in that ACL?

Hello Marvin,

Thanks for your reply... below is the ACL that I'm using as the redirect ACL.

access-list PSN_REDIRECT extended deny udp any any eq domain
access-list PSN_REDIRECT remark PSN
access-list PSN_REDIRECT extended deny ip any host 10.10.48.135
access-list PSN_REDIRECT remark APN
access-list PSN_REDIRECT extended deny ip any host 10.10.48.136
access-list PSN_REDIRECT extended deny ip any host 10.16.41.35
access-list PSN_REDIRECT extended permit tcp any any eq www
access-list PSN_REDIRECT extended permit tcp any any eq https

It seems that the client is trying to connect to cisco.com

[Sun May 29 18:17:42.006 2016][acisensa][debug][hs_transport_winhttp_get] unable to send request: 12007
[Sun May 29 18:17:42.006 2016][acisensa][debug][IseDiscovery::HttpDiscoveryCallback] Http callback, target enroll.cisco.com, stat=-5, 0
[Sun May 29 18:17:42.880 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:17:43.894 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:17:44.908 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:17:45.922 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:17:46.889 2016][acisensa][debug][hs_transport_winhttp_get] unable to send request: 12002
[Sun May 29 18:17:46.889 2016][acisensa][debug][IseDiscovery::HttpDiscoveryCallback] Http callback, target 192.168.66.161, stat=-5, 0
[Sun May 29 18:17:46.936 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=0, target status=-5
[Sun May 29 18:57:35.697 2016][acisensa][info][hs_log_init_oneshot] Logging system startup
[Sun May 29 18:57:35.697 2016][acisensa][info][CNsaWizardDlg::CNsaWizardDlg] Cisco ISE Network Setup Assistant started.
[Sun May 29 18:57:35.713 2016][acisensa][debug][UITranslator::Initialize] Localization path is C:\Users\suise01\Downloads\NACWebAgent\l10n, working path is C:\Users\suise01\Downloads, locale is pt-pt
[Sun May 29 18:57:36.790 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=2, target status=2
[Sun May 29 18:57:37.804 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=2, target status=2
[Sun May 29 18:57:38.819 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=2, target status=2
[Sun May 29 18:57:39.834 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=2, target status=2
[Sun May 29 18:57:40.801 2016][acisensa][debug][hs_transport_winhttp_get] unable to send request: 12002
[Sun May 29 18:57:40.801 2016][acisensa][debug][IseDiscovery::HttpDiscoveryCallback] Http callback, target 192.168.66.161, stat=-5, 0
[Sun May 29 18:57:40.848 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:57:41.863 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:57:42.877 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:57:43.892 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=1, target status=-5
[Sun May 29 18:57:44.875 2016][acisensa][debug][hs_transport_winhttp_get] unable to send request: 12007
[Sun May 29 18:57:44.875 2016][acisensa][debug][IseDiscovery::HttpDiscoveryCallback] Http callback, target enroll.cisco.com, stat=-5, 0
[Sun May 29 18:57:44.907 2016][acisensa][debug][IseDiscovery::CancelTimeout] CancelTimeout discoveryRequestCount=0, target status=-5

regards
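The log excerpt above is easier to read once the "unable to send request" line is paired with the discovery callback that follows it. The script below is an added example, not code from this thread or from Cisco: it parses acisensa discovery lines, translates the WinHTTP error code (12002 is ERROR_WINHTTP_TIMEOUT, 12007 is ERROR_WINHTTP_NAME_NOT_RESOLVED; these are the standard Microsoft WinHTTP codes) and flags the fallback to enroll.cisco.com, which only happens when no PSN answered. The sample lines are copied from the post above; nothing else about the environment is assumed.

```python
import re

# Standard WinHTTP error codes (from Microsoft's winerror definitions), used to
# explain the "unable to send request: NNNNN" lines the agent writes.
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT (no answer from target)",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED (DNS lookup failed)",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT (connection refused or blocked)",
}

# Host the agent tries last when no ISE PSN answers discovery.
FALLBACK_HOST = "enroll.cisco.com"

# [timestamp][component][level][function] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<comp>[^\]]+)\]\[(?P<level>[^\]]+)\]"
    r"\[(?P<func>[^\]]+)\] (?P<msg>.*)$"
)
SEND_FAIL_RE = re.compile(r"unable to send request: (?P<code>\d+)")
CALLBACK_RE = re.compile(
    r"Http callback, target (?P<target>[^,]+), stat=(?P<stat>-?\d+)"
)

# Four lines taken verbatim from the log posted in this thread.
SAMPLE_LOG = """\
[Sun May 29 18:17:42.006 2016][acisensa][debug][hs_transport_winhttp_get] unable to send request: 12007
[Sun May 29 18:17:42.006 2016][acisensa][debug][IseDiscovery::HttpDiscoveryCallback] Http callback, target enroll.cisco.com, stat=-5, 0
[Sun May 29 18:17:46.889 2016][acisensa][debug][hs_transport_winhttp_get] unable to send request: 12002
[Sun May 29 18:17:46.889 2016][acisensa][debug][IseDiscovery::HttpDiscoveryCallback] Http callback, target 192.168.66.161, stat=-5, 0
"""


def parse_discovery(log_text):
    """Map each discovery target to its callback status, pairing the callback
    with the WinHTTP send failure logged immediately before it (the agent
    writes the failure first, then the callback with a negative stat)."""
    results = {}
    pending_error = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an agent log line
        msg = m.group("msg")
        fail = SEND_FAIL_RE.search(msg)
        if fail:
            pending_error = int(fail.group("code"))
            continue
        cb = CALLBACK_RE.search(msg)
        if not cb:
            continue
        stat = int(cb.group("stat"))
        if stat < 0:
            error = pending_error
            reason = WINHTTP_ERRORS.get(error, f"failed (WinHTTP error {error})")
        else:
            error, reason = None, "ok"
        results[cb.group("target")] = {"stat": stat, "error": error, "reason": reason}
        pending_error = None
    return results


def assess(results):
    """Turn the parsed discovery results into findings for the troubleshooter."""
    findings = []
    psns = [t for t in results if t != FALLBACK_HOST]
    if not psns:
        findings.append("no PSN was tried: check the redirect / client provisioning setup")
    for t in psns:
        if results[t]["stat"] < 0:
            findings.append(f"PSN {t} unreachable: {results[t]['reason']}")
    if FALLBACK_HOST in results:
        findings.append(f"agent fell back to {FALLBACK_HOST}: no PSN answered discovery")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_discovery(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt, it reports that 192.168.66.161 timed out and that the agent then fell back to enroll.cisco.com. One thing worth checking from the output: the discovery target in the log (192.168.66.161) is not one of the hosts exempted by the redirect ACL posted above, so any traffic to it that matches the permit lines would be redirected rather than answered.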

I've not used the NAC Agent (which is EoS) but rather the newer AnyConnect ISE Posture Agent. I found a few threads commenting on that failed attempt to reach enroll.cisco.com:

https://communities.cisco.com/thread/59778?start=15&tstart=0

https://supportforums.cisco.com/discussion/11795926/ise-redirect-install-nac-agent-anyconnect-users-split-tunnel

Per the admin guide, that's a last-resort URL it goes to when it doesn't get a response from the ISE server(s):

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html 

Do you have the NAC agent resources on the PSNs?

I'm not using the NAC Agent; if you take a look at the folder, the binary that is downloaded is the AnyConnect one, and I don't know what's happening. That communication fails and the download tries to go to the internet, even though I have the AnyConnect resources in ISE.

regards,

Is it possible that your PSN is behind a firewall or load balancer and the SWSS ports (tcp-udp/8905) aren't being allowed through?
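A quick way to answer the firewall question for the redirect ACL itself is to evaluate the ACL the way the ASA does (first match wins; a permit hit means the flow is redirected to the portal, a deny hit or no hit means it passes through) against the flows posture needs to work. The script below is an added example, not code from this thread, from Cisco or from the ASA: it parses the any/host form of ASA extended ACEs, checks the ACL posted above (with the /// annotations written as ASA remark lines) and a constructed "permit ip any any" catch-all that is a common mistake. The DNS server address 10.10.48.53 is constructed, tcp/udp 8905 is the port mentioned in the reply above, and 8443 is assumed to be the ISE portal port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASA service keywords used in this thread's ACL, mapped to port numbers.
SERVICE_PORTS = {"domain": 53, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                 # "permit" (redirect) or "deny" (pass through)
    proto: str                  # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network  # destination; 0.0.0.0/0 for "any"
    dport: Optional[int]        # None means any destination port


def parse_acl(text):
    """Parse ASA 'access-list NAME extended ...' lines with any/host endpoints
    and an optional 'eq PORT'. Remark and blank lines are skipped; subnet/mask
    endpoints are not supported here."""
    acl = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[2] != "extended":
            raise ValueError(f"unsupported ACE form: {line}")
        action, proto, rest = tok[3], tok[4], tok[5:]
        rest = rest[2:] if rest[0] == "host" else rest[1:]   # skip the source
        if rest[0] == "host":
            dst, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        elif rest[0] == "any":
            dst, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        else:
            raise ValueError(f"unsupported destination in: {line}")
        dport = None
        if rest[:1] == ["eq"]:
            dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
        acl.append(Ace(action, proto, dst, dport))
    return acl


def is_redirected(acl, proto, dst_ip, dport):
    """First-match evaluation of a redirect ACL: a 'permit' hit sends the flow
    to the ISE portal, a 'deny' hit (or no hit at all) lets it through."""
    ip = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def check_redirect_acl(acl_text, required_flows):
    """Return descriptions of the required flows the ACL would wrongly redirect."""
    acl = parse_acl(acl_text)
    return [f"{name}: {proto}/{port} to {ip} would be redirected"
            for name, proto, ip, port in required_flows
            if is_redirected(acl, proto, ip, port)]


# The ACL posted earlier in this thread, annotations as remark lines.
POSTED_ACL = """\
access-list PSN_REDIRECT extended deny udp any any eq domain
access-list PSN_REDIRECT remark PSN
access-list PSN_REDIRECT extended deny ip any host 10.10.48.135
access-list PSN_REDIRECT remark APN
access-list PSN_REDIRECT extended deny ip any host 10.10.48.136
access-list PSN_REDIRECT extended deny ip any host 10.16.41.35
access-list PSN_REDIRECT extended permit tcp any any eq www
access-list PSN_REDIRECT extended permit tcp any any eq https
"""

# Constructed catch-all that forgets to exempt the PSN and DNS.
BROAD_ACL = "access-list PSN_REDIRECT extended permit ip any any\n"

# Flows that must NOT be redirected for posture to work.
REQUIRED_FLOWS = [
    ("internal DNS", "udp", "10.10.48.53", 53),      # constructed DNS address
    ("PSN agent port", "tcp", "10.10.48.135", 8905),  # port named in the thread
    ("PSN agent port", "udp", "10.10.48.135", 8905),
    ("PSN portal", "tcp", "10.10.48.135", 8443),      # assumed ISE portal port
]

if __name__ == "__main__":
    for label, acl_text in (("posted ACL", POSTED_ACL), ("broad ACL", BROAD_ACL)):
        problems = check_redirect_acl(acl_text, REQUIRED_FLOWS)
        print(f"{label}: {'OK' if not problems else problems}")
```

For the posted ACL the check comes back clean (only web traffic to other hosts is redirected), while the catch-all redirects every required flow, which is exactly the kind of setup that makes the agent give up on the PSN and fall back to enroll.cisco.com. The script only models the redirect ACL; a separate interface ACL, firewall or load balancer in the path, as the reply above suggests, still has to be checked on its own.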
Through ASDM I can't see any packet being denied.

I've installed the compliance module manually, but posture is not working at all... I have AnyConnect installed, but it is not being detected by the client provisioning portal.

Please help.

Regards,

Alcides
